FYI if anyone else experienced this problem, we pinned this down to F-Prot. Disabling F-prot has resolved the problem.
Peter ----- Original Message ----- To: <[EMAIL PROTECTED]> Sent: Monday, September 08, 2003 1:07 PM Subject: Blue Screen on Imail with Declude Virus and Declude Junkmail > Hi all, > > hopefully someone can give us some insight to a problem related to BSOD we > have been encountering on our Imail server > > Server is running Imail 8.02 with Declude Virus with scanners below and > Declude Junkmail. Nothing else is running on the server. Declude Virus > Config appears at end of this email. > > Ipswitch claims this is not caused by Imail > > Declude Virus has the following virus scanners: > > F-Prot version 3.14a > Netshield 2000 SP1 > Grisoft AVG 7 Server Edition > > On access virus scanning is disabled. > > What seems to be happening is that when there is a high volume of mail > processed, the server will blue screen with: > > The computer has rebooted from a bugcheck. The bugcheck was: 0x0000007f > (0x0000000d, 0x00000000, 0x00000000, 0x00000000). Microsoft Windows 2000 > [v15.2195]. A dump was saved in: C:\WINNT\MEMORY.DMP. > > BSOD shows UNEXPECTED_KERNEL_MODE_TRAP > > At first we thought it was a hardware related issue since this was a new > server built for Imail. So we rebuilt another server and installed to that > new server but problem still persists. > > Examining logs (Declude and Imail) show nothing peculiar, and nothing is > reported in the event log except for the reboot and bugcheck. > > We then thought it may be related to the Imail Queue manager so to test this > we stopped Imail Queue Service for a while and simulated the problem by > sending large amounts of mail to the server and sure enough it crashed again > (with Queue Manager stopped). This should exclude Queue Manager. > > Server specs are: > > Intel 7501WV2 Motherboard with dual onboard Nics > Intel SRCZCR Raid Controller Card > 2 x 18 GB u320 Maxtor Raid 1 (OS) > 2 x 36 GB u320 Maxtor Raid 1 (Imail) > 1 GB Crucial RAM > > Any insight anyone? > > Thanks > > Peter Verzoni > > > > > > > # > # Declude Virus configuration file > # > > CODE XXXXXXXXXXXX > > # The "####" in the LOGFILE option automatically gets replaced with the > month/date > > LOGFILE e:\spool\vir####.log > LOGLEVEL HIGH > CONSOLE OFF > > # > # SCANFILE is the location of the command-line virus scanner. Note that it > # must include the full path. VIRUSCODE is the code that scanner returns if > # it finds a virus. > # > > SCANFILE1 D:\Progra~1\FSI\F-Prot\fpcmd.exe /TYPE /SILENT /NOMEM /ARCHIVE > /DUMB /NOBOOT /REPORT=report.txt > VIRUSCODE 3 > VIRUSCODE 6 > VIRUSCODE 8 > REPORT Infection > > > SCANFILE2 D:\Progra~1\Grisoft\AVG7\avg.exe /NOMEM /NOSELF /ARC > /REPORT=report.txt > VIRUSCODE2 2 > VIRUSCODE2 6 > REPORT2 identified > > SCANFILE3 C:\Progra~1\Common~1\networ~1\viruss~1\4.0.xx\scan.exe /ALL > /NOMEM /NOBEEP /NOBREAK /UNZIP /SILENT /NODDA /REPORT report.txt > VIRUSCODE3 13 > REPORT3 Found > > > # VIRDIR is the directory to move E-mails with viruses; by default, > # it is set to 'virus' (\IMail\spool\virus). > > VIRDIR e:\spool\virus > > # The MAXATONCE option limits the number of AV processes. For example, > # MAXATONCE 1 will only allow 1 AV process to run at once (IE for licensing > # purposes). A value of 0 (or commenting it out) allows unlimited processes > # to run at the same time. > > MAXATONCE 0 > > # > # The following options allow you to limit scanning to only incoming or > outgoing > # E-mail. > # > > INCOMING ON > OUTGOING ON > > # > # The ONACCESS option should be set to OFF unless you have an on-access > virus scanner > # that will be deleting attachments with viruses. > # > > ONACCESS OFF > > # > # The SCANNERTIMEOUT option lets you choose the number of seconds that > Declude will > # wait for the virus scanner to finish. The minimum value is 10 seconds. > Most > # scanners will not need to take that long. This option is mainly to > prevent > # defective scanners (that never finish) from interfering with your outgoing > E-mail. > # Raising this will NOT help if your virus scanner always times out. > # > > SCANNERTIMEOUT 60 > > # > # The SKIPEXT option will let you skip scanning of certain file extensions. > For > # example, a GIF file can't contain a virus, so there is no need to scan it. > # > > SKIPEXT GIF > SKIPEXT TXT > SKIPEXT JPG > SKIPEXT MPG > SKIPEXT PNG > > # > # The BANEXT option will let you ban file extensions. E-mails containing > attachments > # with these file extensions will be quarantined, and if you have a > BANnotify.EML file > # (version 1.29 and higher), it will be sent out. > # > > #BANEXT scr > #BANEXT pif > > > # > # Declude Virus Pro v1.27 and higher allow you to pre-scan HTML files. If > no dangerous > # code is detected, the virus scanner will not get called. This can cut > down on CPU usage > # tremendously. > # > > PRESCAN OFF > > # > # Declude Virus v1.29 and higher can block treat files using CLSID > extensions as viruses. > # This type of extension will force a certain type of program to be run, > while making the > # file appear to be a .TXT or other safe file. There is no known legitimate > reason to > # send this type of file through E-mail. > # > > BANCLSID ON > > # > # The FOOTER lines will add a footer to the bottom of E-mails that are > scanned. v1.30 and higher. > # > > # FOOTER --- > # FOOTER [This E-mail scanned for viruses by Declude Virus] > > # > # The DELETEVIRUSES option, when set to ON, will delete viruses, rather than > quarantine them. > # It is recommended to leave this at OFF. Works with v1.30 and higher. > # > > DELETEVIRUSES OFF > > # > # The DELIVERERRORS option, when set to ON, will treat errors from the virus > scanner as if no > # virus was found. When set to ON, this could cause viruses to get through > in rare situations, > # but will also prevent legitimate mail from being quarantined due to an > error in the scanner. > # It is recommend to leave this at ON. Works with v1.30 and higher. > # > > DELIVERERRORS ON > > BANCRVIRUSES OFF > > FORGINGVIRUS Klez > FORGINGVIRUS Mimail > FORGINGVIRUS Sobig > > --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
